
SOLVED Is the (Cloudflare) auto-DNS setup secure using "DNS Only", as opposed to "Proxied"?

  • "DNS Only" exposes the server IP address.

    Doesn't this make DDOS on the server IP more likely if an attacker bypasses the Cloudflare WAF on the domain to go straight for the server IP?

  • Staff

    @marcuswquinn Yes, the default setup is simply to set up the DNS to point to the server IP. One can enable provider-specific options like Proxied mode, WAF etc. from Cloudflare's control panel. If you switch to Proxied, Cloudron won't overwrite the flag during future DNS operations (there is special code for this).

    The default is chosen for various reasons:

    • Email server does not work with Cloudflare proxying since Cloudflare will only proxy HTTP. The email server is used a lot on Cloudron.

    • SFTP does not work

    • A typical support request we get is people trying to SSH into the server as ssh and then telling us the server is unreachable. We then have to tell them it's because of Cloudflare proxying.

    • Many users (of Cloudflare) don't understand the implications of proxying, i.e. all traffic goes via Cloudflare now and Cloudflare can read it. Whether this is a privacy issue or not is entirely based on whether you trust Cloudflare.

    With this in mind, we decided it's not our decision to make and it's best if the customer makes this choice explicitly by themselves instead of us doing this auto-magically. Maybe we can add an option to turn this on in Cloudron's control panel (if only for convenience)? I am open to other ideas.
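The flag-preserving update behaviour the staff reply describes, as an added illustration that is not Cloudron's own code: record objects mirror the fields of Cloudflare's DNS records API (`name`, `type`, `content`, `proxied`), but the update is planned as a plain object instead of being sent over HTTP, and the conflict check is an assumed helper built from the thread's list of services that proxying breaks.

```javascript
// Added example (not Cloudron code): plan a Cloudflare DNS update so that a
// record's existing "proxied" flag is left exactly as the user set it.

// Decide what to send for one record. New records default to DNS-only
// (proxied: false); existing records keep their current proxied value.
function planDnsUpdate(existingRecords, { name, type, content }) {
  const match = existingRecords.find((r) => r.name === name && r.type === type);
  if (!match) {
    return { method: 'POST', id: null, body: { name, type, content, proxied: false } };
  }
  if (match.content === content) {
    return { method: 'NOOP', id: match.id, body: null }; // nothing to change
  }
  return {
    method: 'PATCH',
    id: match.id,
    body: { name, type, content, proxied: match.proxied }, // flag preserved
  };
}

// Proxying only carries HTTP(S): mail and SFTP/SSH hostnames must stay
// DNS-only. Returns the names whose proxied flag would break such a service.
// (Assumed helper; the caller supplies the list of non-HTTP hostnames.)
function findProxyConflicts(existingRecords, nonHttpNames) {
  return existingRecords
    .filter((r) => r.proxied && nonHttpNames.includes(r.name))
    .map((r) => r.name);
}

// Constructed sample zone state (documentation IP range, not a real server).
const sampleRecords = [
  { id: 'rec-1', name: 'www.example.com', type: 'A', content: '198.51.100.10', proxied: true },
  { id: 'rec-2', name: 'mail.example.com', type: 'A', content: '198.51.100.10', proxied: true },
];

// Server IP changed: the www record is patched but stays proxied.
console.log(planDnsUpdate(sampleRecords, { name: 'www.example.com', type: 'A', content: '198.51.100.11' }));
// The mail host is proxied, which the thread says breaks email delivery.
console.log(findProxyConflicts(sampleRecords, ['mail.example.com']));
```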

  • @girish I seeeeee! You've thought all this through before! OK, I learned new things from your explanation.

    Prob one just for the documentation then, unless you think a per-app setting would be easy enough? It's only saving going into Cloudflare to delete and re-add the records, but then my next research is going to be into

    TBH as I think Cloudflare is more a pied-piper following for their good marketing than for the essentials that are often better handled at the host (like Anti-DDoS, for which I do like Hetzner covering on the network level).

  • App Dev

    Figured it'd be better to revive this thread than to start a new one at the moment, but given the split of box vs app concerns, and the new addition of being able to separate the mail server from the my subdomain, it seems more likely that the option to check a box for setting up proxied records could be added for the Cloudflare DNS provider.

  • Staff

    @jimcavoli Yes, I think that's a good idea. Can you open a new thread in ?

  • App Dev

    @girish if you guys decide to implement a checkbox for this, I strongly suggest a warning message to warn the users that Cloudflare will be able to read all their traffic.
